[Openswan Users] RDP from internal NET to VPN client fails, and some other strangness..

dashnu dashnu at gmail.com
Mon Nov 20 09:17:39 EST 2006


Still no luck. I have done the following things.

Changed iptables rules.
Input:
# ICMP
$IPT -N icmp-traffic
$IPT -A icmp-traffic -p icmp --fragment -j DROP
$IPT -A icmp-traffic -p icmp --icmp-type echo-reply -m limit \
--limit 1/s -j ACCEPT
$IPT -A icmp-traffic -p icmp --icmp-type echo-request -m limit \
--limit 1/s -j ACCEPT
$IPT -A icmp-traffic -p icmp --icmp-type time-exceeded -m limit \
--limit 1/s -j ACCEPT
$IPT -A icmp-traffic -p icmp --icmp-type fragmentation-needed -m limit \
--limit 1/s -j ACCEPT
$IPT -A icmp-traffic -p icmp -j DROP

Output:
$IPT -N allow-icmp-traffic-out
$IPT -A allow-icmp-traffic-out -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A allow-icmp-traffic-out -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A allow-icmp-traffic-out -p icmp --icmp-type fragmentation-needed -j ACCEPT
$IPT -A allow-icmp-traffic-out -p icmp -j DROP

Limit should keep me out of trouble as far as DOS attacks go.. and I
would imagine this limit would not interrupt regular use.

A list of my /proc entries; I have changed a few...

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/secure_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc

I think with that last option and my new icmp rules pmtu should be  
working.

And last I changed options.l2tp the mtu & mru to 1200.

So with all this being said, I was able to make it past RDP login and
the desktop began to load; soon after, I lost the VPN connection...
I made it a bit further....

Any thoughts on my current setup? Do I have anything set incorrectly?
Any other ideas?

TIA

-Brett
On Nov 16, 2006, at 10:05 PM, Paul Wouters wrote:

> On Thu, 16 Nov 2006, dashnu wrote:
>
>> Hello again. After reading a few more links on Jacco's site, I am
>> wondering some things.
>>
>> I block ICMP and enable path MTU, which I now see is absolutely
>> pointless and not wise..
>>
>> If I allow icmp & enable pmtu, would this solve my issue? If so, is
>> icmp type 3 all I need to allow in?
>>
>> Any major risks involved with doing this?
>
>
> Filtering icmp is never a good idea. At most only filter the known
> dangerous types of icmp (eg routing changes) and the echo request/reply.
> Don't filter the other types of icmp.
>
>> Another thing is I really have no control over the other end... If
>> they have icmp filtered at the router level or in windows I will again
>> run into this problem I would assume.
>
> That is why Windows and OSX run the vpn devices with a lowered mtu.
> Windows does 1440 I believe and OSX does 1200.
>
> Paul
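A quick way to check rule sets like the ones in this thread against Paul's point (the ICMP errors that PMTU discovery relies on must reach an ACCEPT before any catch-all DROP). This is an added example written for this page, not code from the thread or from Openswan; parse_rules, audit_chain and REQUIRED_TYPES are my own names, and SAMPLE is a constructed copy of Brett's INPUT chain plus a chain that drops all ICMP.

```python
import shlex

# ICMP types Path MTU Discovery and error signalling depend on; the thread's
# advice is to filter echo/redirects if you must, never these.
REQUIRED_TYPES = ("fragmentation-needed", "time-exceeded")

def _after(argv, flag):
    return argv[argv.index(flag) + 1] if flag in argv else None

def parse_rules(script):
    """Parse '$IPT -A chain ...' lines (joining backslash continuations,
    skipping comments and -N lines) into rule dicts."""
    rules = []
    for line in script.replace("\\\n", " ").splitlines():
        argv = shlex.split(line, comments=True)
        if "-A" in argv:
            rules.append({"chain": _after(argv, "-A"),
                          "type": _after(argv, "--icmp-type"),  # None: any
                          "target": _after(argv, "-j"),
                          "limited": "--limit" in argv,      # -m limit bucket
                          "fragment": "--fragment" in argv})  # later frags only
    return rules

def audit_chain(rules, chain):
    """Walk CHAIN first-match for each required type; return {type: verdict}."""
    verdicts = {}
    for icmp_type in REQUIRED_TYPES:
        limited_seen, outcome = False, "no rule (chain policy applies)"
        for r in rules:
            if r["chain"] != chain or r["fragment"] or r["type"] not in (None, icmp_type):
                continue
            if r["target"] == "ACCEPT" and r["limited"]:
                # With the limit bucket empty the rule stops matching, so the packet falls through
                limited_seen = True
                continue
            outcome = r["target"].lower()
            break
        verdicts[icmp_type] = f"accept, rate-limited; excess: {outcome}" if limited_seen else outcome
    return verdicts

# Constructed sample: the INPUT chain from the post plus an all-ICMP DROP chain.
SAMPLE = r"""
$IPT -A icmp-traffic -p icmp --fragment -j DROP
$IPT -A icmp-traffic -p icmp --icmp-type time-exceeded -m limit \
--limit 1/s -j ACCEPT
$IPT -A icmp-traffic -p icmp --icmp-type fragmentation-needed -m limit \
--limit 1/s -j ACCEPT
$IPT -A icmp-traffic -p icmp -j DROP
$IPT -A block-all-icmp -p icmp -j DROP
"""
```

The verdict for the post's chain shows the caveat of rate-limiting these types: once the `-m limit` bucket is empty, further fragmentation-needed messages no longer match the ACCEPT and hit the final DROP, so a burst of them during a transfer is still lost.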
